defmodule Glimesh.AccountsProfileTest do
  use Glimesh.DataCase
  use Bamboo.Test

  alias Glimesh.Accounts.Profile

  describe "normal safe user markdown" do
    test "cannot inject local urls" do
      bad_markdown = "[link](https://google.com)"
      bad_html = "<a href=\"https://google.com\">link</a>"

      assert Profile.safe_user_markdown_to_html(bad_markdown) =~ bad_html
    end
  end

  describe "markdown xss injection" do
    @bad_links [
      {"<&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>",
       "&lt;&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;"},
      {"[a](javascript://www.google.com%0Aprompt(1))", "<a>a</a>"},
      {"[test](javascript://%0d%0aprompt(1))", "<a>test</a>"},
      {"[clickme](vbscript:alert(document.domain))", "<a>clickme</a>"},
      {"_http://danlec_@.1 style=background-image:url();background-repeat:no-repeat;display:block;width:100%;height:100px; onclick=alert(unescape(/Oh%20No!/.source));return(false);//",
       "<em><a href=\"http://danlec\">http://danlec</a></em>@.1 style=background-image:url();background-repeat:no-repeat;display:block;width:100%;height:100px; onclick=alert(unescape(/Oh%20No!/.source));return(false);//"},
      {"<http://<meta http-equiv=\"refresh\" content=\"0; url=http://danlec.com/\">>",
       "&lt;<a href=\"http://%3Cmeta\">http://&lt;meta</a> http-equiv=”refresh” content=”0; url=<a href=\"http://danlec.com/%22%3E%3E\">http://danlec.com/“&gt;&gt;</a>"},
      {"[a](javascript:alert(document.domain&#41;)",
       "[a](javascript:alert(document.domain&amp;#41;)"},
      {"[a](Javas&#99;ript:alert(1&#41;)", "[a](Javas&amp;#99;ript:alert(1&amp;#41;)"},
      {"[a](javascript://%0d%0aconfirm(1);com)", "<a>a</a>"},
      {"<javascript:prompt(document.cookie)>", "&lt;javascript:prompt(document.cookie)&gt;"},
      {"![a](https://www.google.com/image.png\"onload=\"alert(1))",
       "  <img src=\"https://www.google.com/image.png\" alt=\"a\" />"},
      {"[a](javascript:window.onerror=confirm;throw%201)", "<a>a</a>"},
      {"[a](Javas%26%2399;ript:alert(1&#41;)", "[a](Javas%26%2399;ript:alert(1&amp;#41;)"},
      {"[XSS](.alert(1);)", "<a href=\".alert(1);\">XSS</a>"},
      {"[a](javascript://www.google.com%0Aalert(1))", "<a>a</a>"},
      {"[a](&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29)",
       "<a>a</a>"},
      {"[a](JaVaScRiPt:alert(1))", "<a>a</a>"},
      {"[test](javascript://%0d%0aprompt(1);com)", "<a>test</a>"},
      {"</http://<?php><h1><script:script>confirm(2)",
       "<a>/http://&lt;?php</a>&lt;h1&gt;&lt;script:script&gt;confirm(2)"},
      {"[a]('javascript:alert(\"1\")')", "<a>a</a>"},
      {"[a](javascript:confirm(1)", "[a](javascript:confirm(1)"},
      {"[a](javascript:this;alert(1))", "<a>a</a>"},
      {"[text](http://danlec.com \" [@danlec](/danlec) \")",
       "<a href=\"http://danlec.com\" title=\" [@danlec](/danlec) \">text</a>"},
      {"[notmalicious](javascript:window.onerror=alert;throw%20document.cookie)",
       "<a>notmalicious</a>"},
      {"![a](\"onerror=\"alert(1))", "  <img src=\"\" alt=\"a\" />"},
      {"[ ](http://a?p=[[/onclick=alert(0) .]])",
       "<a href=\"http://a?p=[[/onclick=alert(0) .]]\"> </a>"},
      {"[a](javascript&#58this;alert(1&#41;)", "[a](javascript&amp;#58this;alert(1&amp;#41;)"},
      {"[ ](https://a.de?p=[[/data-x=. style=background-color:#000000;z-index:999;width:100%;position:fixed;top:0;left:0;right:0;bottom:0; data-y=.]])",
       "<a href=\"https://a.de?p=[[/data-x=. style=background-color:#000000;z-index:999;width:100%;position:fixed;top:0;left:0;right:0;bottom:0; data-y=.]]\"> </a>"},
      {"[a](javascript:alert&#65534;(1&#41;)", "[a](javascript:alert&amp;#65534;(1&amp;#41;)"},
      {"[a](j    a   v   a   s   c   r   i   p   t:prompt(document.cookie))", "<a>a</a>"},
      {"[a](javascript:this;alert(1&#41;)", "[a](javascript:this;alert(1&amp;#41;)"},
      {"[notmalicious](javascript://%0d%0awindow.onerror=alert;throw%20document.cookie)",
       "<a>notmalicious</a>"},
      {"![a](javascript:prompt(document.cookie))", "<img alt=\"a\" />"},
      {"[citelol]: (javascript:prompt(document.cookie))", ""},
      {"[a](javascript:prompt(document.cookie))", "<a>a</a>"},
      {"[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)", "<a>a</a>"}
    ]

    ExUnit.Case.register_attribute(__ENV__, :pair)

    for {lhs, rhs} <- @bad_links do
      @pair {lhs, rhs}
      left_hash = :crypto.hash(:sha, lhs) |> Base.encode16()

      test "bad_links: #{left_hash}", context do
        {l, r} = context.registered.pair

        out = Profile.safe_user_markdown_to_html(l)

        assert out =~ r
      end
    end

    test "cannot inject local urls" do
      bad_markdown = "[a](javascript:prompt(document.cookie))"
      bad_html = "<a href=\"javascript:prompt(document.cookie)\">a</a>"

      refute Profile.safe_user_markdown_to_html(bad_markdown) =~ bad_html
    end
  end
end
